SpringLDAP连接LDAPS证书报错问题及解决
一、问题背景
Java操作LDAP一般通过Spring LDAP比较方便,一般我们都是使用的常规的非加密的389端口
常规的初始化如下:
LdapContextSource contextSource = new LdapContextSource(); contextSource.setUserDn(config.getUsername()); contextSource.setPassword(config.getPassword()); String url = "ldap://" + config.getServer() + ":" + config.getPort(); contextSource.setUrl(url); contextSource.setBase(config.getBaseDn()); contextSource.setAnonymousReadOnly(false); contextSource.setPooled(false); contextSource.afterPropertiesSet(); this.ldapTemplate = new LdapTemplate(contextSource); this.ldapTemplate.setIgnorePartialResultException(true);
但是最近遇到一个使用证书加密环境的LDAP,即LDAPS(LDAP+SSL),使用的是636端口,再使用上述的配置,则会报错,可能会报以下的未找到合法证书的错误:
simple bind failed: 172.16.10.2:636; nested exception is javax.naming.CommunicationException: simple bind failed: 172.16.10.2:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
二、解决方案
一般我们在Java使用HTTPS客户端的时候为了避免证书报错,一般会将客户端证书导入到JDK中,但是有些环境的证书是自签名的证书,导入也不一定能解决问题。
因此多数也会通过X509TrustManager和SSLSocketFactory绕过证书校验,所以我们对于LDAPS也采用同样的思路来解决,网上有类似的解决方案,但是集成之后可能还是存在以下的报错:
org.springframework.ldap.CommunicationException: simple bind failed: 172.16.10.2:636; nested exception is javax.naming.CommunicationException: simple bind failed: 172.16.10.2:636 [Root exception is javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 172.16.10.2 found]
at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:108)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:355)
at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:139)
at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:158)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:357)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:309)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:642)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:578)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:1617)
simple bind failed: XXXXX.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: XXXXX.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching XXXXX.com found.]
org.springframework.ldap.CommunicationException: simple bind failed: 172.16.10.2:636; nested exception is javax.naming.CommunicationException: simple bind failed: 172.16.10.2:636 [Root exception is java.net.SocketException: Connection or outbound has closed]
at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:108)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:355)
at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:139)
at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:158)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:357)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:309)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:642)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:578)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:1617)
我的解决方案分为以下几个步骤,能规避以上错误:
(1)自定义SSLSocketFactory
package com.bugdongdong.utils.tools.ldap; import javax.net.SocketFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.TrustManager; import javax.net.ssl.X509TrustManager; import java.io.IOException; import java.net.InetAddress; import java.net.Socket; import java.net.UnknownHostException; import java.security.SecureRandom; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; public class CustomSSLSocketFactory extends SSLSocketFactory { private SSLSocketFactory socketFactory; public CustomSSLSocketFactory() { try { SSLContext ctx = SSLContext.getInstance("TLS"); ctx.init(null, new TrustManager[]{new DummyTrustmanager()}, new SecureRandom()); socketFactory = ctx.getSocketFactory(); } catch (Exception ex) { ex.printStackTrace(System.err); } } public static SocketFactory getDefault() { return new CustomSSLSocketFactory(); } @Override public String[] getDefaultCipherSuites() { return socketFactory.getDefaultCipherSuites(); } @Override public String[] getSupportedCipherSuites() { return socketFactory.getSupportedCipherSuites(); } @Override public Socket createSocket(Socket socket, String string, int num, boolean bool) throws IOException { return socketFactory.createSocket(socket, string, num, bool); } @Override public Socket createSocket(String string, int num) throws IOException, UnknownHostException { return socketFactory.createSocket(string, num); } @Override public Socket createSocket(String string, int num, InetAddress netAdd, int i) throws IOException, UnknownHostException { return socketFactory.createSocket(string, num, netAdd, i); } @Override public Socket createSocket(InetAddress netAdd, int num) throws IOException { return socketFactory.createSocket(netAdd, num); } @Override public Socket createSocket(InetAddress netAdd1, int num, InetAddress netAdd2, int i) throws IOException { return socketFactory.createSocket(netAdd1, num, netAdd2, i); } /** * 绕过证书校验 */ public static class DummyTrustmanager implements X509TrustManager { public void checkClientTrusted(X509Certificate[] cert, String string) throws CertificateException { } public void checkServerTrusted(X509Certificate[] cert, String string) throws CertificateException { } public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; } } }
(2)自定义支持SSL的SSLContextSource
package com.bugdongdong.utils.tools.ldap; import org.springframework.ldap.core.support.LdapContextSource; import javax.naming.Context; import java.util.Hashtable; public class SSLLdapContextSource extends LdapContextSource { public Hashtable<String, Object> getAnonymousEnv(){ // 禁用jdk8以上对ldap的端点校验 System.setProperty("com.sun.jndi.ldap.object.disableEndpointIdentification", "true"); Hashtable<String, Object> anonymousEnv = super.getAnonymousEnv(); anonymousEnv.put("java.naming.security.protocol", "ssl"); anonymousEnv.put("java.naming.ldap.factory.socket", CustomSSLSocketFactory.class.getName()); anonymousEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); return anonymousEnv; } }
(3)构建支持SSL的LdapTemplate
// 普通ldap连接使用普通的Context配置 LdapContextSource contextSource = new LdapContextSource(); String url = ""; if (DataSourceLdapConfig.TRANSPORT_TYPE_CLEAR.equals(config.getTransportType())) { url = "ldap://" + config.getServer() + ":" + config.getPort(); } else if (DataSourceLdapConfig.TRANSPORT_TYPE_LDAPS.equals(config.getTransportType())) { url = "ldaps://" + config.getServer() + ":" + config.getPort(); // ldaps使用自定义的支持SSL的Context配置 contextSource = new SSLLdapContextSource(); } contextSource.setUserDn(config.getUsername()); contextSource.setPassword(config.getPassword()); contextSource.setUrl(url); contextSource.setBase(config.getBaseDn()); contextSource.setAnonymousReadOnly(false); contextSource.setPooled(false); contextSource.afterPropertiesSet(); this.ldapTemplate = new LdapTemplate(contextSource); this.ldapTemplate.setIgnorePartialResultException(true);
配置完成后,测试连接即可。
三、问题讨论
需要注意的是,上述有一项配置非常重要,即
System.setProperty("com.sun.jndi.ldap.object.disableEndpointIdentification", "true");
这项配置是JDK8之后需要加上的,官方在JDK8更新后加了端点校验,即使是通过TrustManager绕过了证书校验,有可能还是会因为证书不匹配报错,当然该项配置除了上述这种方式写入,也可以通过JVM参数在程序启动时加入
-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
附该项校验使用的源码
以下是官方对该项配置的解释:
Java 8 Update 181 (8u181)
发行版要点说明
IANA Data 2018e
- JDK 8u181 包含 IANA 时区数据版本 2018e。
- 有关详细信息,请参阅 JRE 软件中的时区数据版本。
**删除的功能:**删除 Java DB
- Java DB 也称为 Apache Derby,已在本发行版中删除。
- 建议您直接从以下网址的 Apache 项目获取最新的 Apache Derby:
- https://db.apache.org/derby
- JDK-8197871(非公共)
**更改:**改进 LDAP 支持
- 已在 LDAPS 连接上启用端点识别。
- 为提高 LDAPS(TLS 上的安全 LDAP)连接的强健性,默认情况下已启用端点识别算法。
- 请注意,可能在一些情况下,以前能够成功连接到 LDAPS 服务器的一些应用程序可能不再能够成功连接。如果此类应用程序认为合适的话,它们可能会使用新系统属性禁用端点识别:com.sun.jndi.ldap.object.disableEndpointIdentification。
- 定义此系统属性(或者将它设置为 true)可禁用端点识别算法。
参考资料
- https://stackoverflow.com/questions/30546193/spring-ldapcontextsource-ignores-sslsocketfactory/30573130
- https://docs.spring.io/spring-ldap/docs/2.3.3.RELEASE/reference/
- https://java.com/zh-CN/download/help/release_changes.html
总结
以上为个人经验,希望能给大家一个参考,也希望大家多多支持脚本之家。
相关文章
mybatis中association和collection的使用与区别
在 MyBatis 中,<association> 和 <collection> 是用于配置结果映射中关联关系的两个元素,本文主要介绍了mybatis中<association>和<collection>的使用与区别,具有一定的参考价值,感兴趣的可以了解一下2024-01-01Java利用openoffice将doc、docx转为pdf实例代码
这篇文章主要介绍了Java利用openoffice将doc、docx转为pdf实例代码,分享了相关代码示例,小编觉得还是挺不错的,具有一定借鉴价值,需要的朋友可以参考下2018-01-01logback EvaluatorFilter实现同时记录多个level级别的日志
这篇文章主要介绍了logback EvaluatorFilter实现同时记录多个level级别的日志方法详解,有需要的朋友可以借鉴参考下,希望能够有所帮助,祝大家多多进步,早日升职加薪2023-11-11
最新评论